Best way to define multiple processors based on a group of conditions

Bryan_Hamilton · June 12, 2021, 10:57am

Hi all I have been trying to work out the way define multiple processors based on a group of conditions. The below snippet doesn't seem to be working but hopefully it will give you an idea of what I am trying to accomplish.

# winlogbeat.yml
processors:  
  - when.and:
    - equals.event.module: 	"sysmon"
    - equals.winlog.event_id: 	1
    - equals.user.id: "S-1-5-18"    
    # if the above conditions are met then run the following processors
	
        # processor01
      - drop_event.when.and:
        - equals.process.executable: "C:\\Windows\\System32\\smss.exe"
        - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"
        # processor02
      - drop_event.when.and:
        - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"
        - or: 
          - equals.process.command_line: "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
          - equals.process.command_line: "%%SystemRoot%%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
        # processor03 ...

The documentation details how do define conditions within the processor itself:

processors:
    - <processor_name>:
        when:
          <condition>
        <parameters>

but I am trying to first define some conditions before even defining the processor.
I couldn't find the guide on how to used the an AND/OR statement inside an IF statement in the processors documentation so I guess it's acheiveable with a when statement? Not sure if that is even supported. Let me know if there is best/supported way to accomplish this. I essentially want want to define multiple processors but based on multiple conditions. I know I can define the original conditions directly under the processor but there will be tens of those processors so I want to cut down in the number of lines and make it easier to read/update.

Any help will be appreciated.

Kind regards

kumarabhi · June 13, 2021, 6:45am

YAML files support anchors. Please refer Using variables in YAML files which should provide way to define and reuse conditions.

Bryan_Hamilton · June 13, 2021, 10:21am

Hi @kumarabhi , thanks for the advice. I have looked into your proposed solution. After reading about yaml anchors, I think I understand the concept but I don't think I am using it right. I have tried doing something like this:

processors:  
  - sysmon_process_create_by_system: &sysmon_process_create_by_system
    - equals.event.module:  "sysmon"
    - equals.winlog.event_id:  1
    - equals.user.id: "S-1-5-18"    

     # Drop Session Manager process Start
  - drop_event.when.and: 
    - *sysmon_process_create_by_system
    - equals.process.executable: "C:\\Windows\\System32\\smss.exe"
    - equals.process.parent.executable: "C:\\Windows\\System32\\smss.exe"

Event though the config test says evertying is OK, the above lines do not appear in the export config output and the events are still making it to the elastic cluster.

I must be doing something wrong.

system · July 11, 2021, 12:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.